Safety monitor.

A monitor system for safety critical situations such as
burner control receives at inputs 17-21 control information from 
a programmable logic control and reference information at 
inputs 12-16 from plant interlocks. This information passes via 
opto-isolators 40 and buffers 41 to the address bus of an 
EPROM so as to access information stored therein which 
normally mirrors the PLC information so as to control relays 
RL1-5 via drivers 46 to conform to the PLC instructions. The 
EPROM also contains reset and clock information for use by a 
counter 48 which allows different areas within the EPROM to be 
accessed. The reset information is also available to a parity 
check circuit 49 via oscillator 46 for dynamically testing the 
monitor for integrity of operation. Failure of the PLC or monitor 
components will cause access to shutdown addresses of the 
EPROM and operation of the appropriate relays including 
lockout relay RL6. 
each stage of the burner sequence. If there is a
discrepancy, appropriate action can be initiated. 

If the high air purge is less than the minimum time 
then power will be taken off T1 before it can time out, 
so the check input will not go high. The check input
can be used as a clocking condition, so that if 
incorrect timing results, the EPROM is accessed at 
the wrong location, and shutdown will result. 

This is illustrated in Figure 17. Here, because the 
check input has not gone high, the EPROM will not
be stepped on. This has therefore checked the 
length of the purge. 

The next time that can be checked is the pilot 
ignition time to confirm it does not exceed 5 
seconds. Figure 18 shows the effect of an extended
pilot ignition time. The ignition is on at the same time 
as the check input which means the pilot ignition 
period has exceeded 5 seconds. 

This address can be pre-programmed as disallowed
in the EPROM, and can contain a shutdown
instruction. If the pilot ignition period is less than 5 
seconds then the address word would be allowed, 
as shown in Figure 16. 

The Main ignition time can be checked on timer T3 
as seen from Figure 16. This timer is energised when
the main valve output is energised and will then time 
out after 5 seconds, by which time the pilot should 
have been extinguished. However, if the pilot stays 
on for longer than 5 seconds, then when timer T3 
times out, the pilot output will still be energised. This
is shown in Figure 19. This can be pre-programmed 
as a disallowed address and so contain a shutdown 
instruction. 

This configuration has thus checked the purge 
time, pilot ignition time and the Main ignition time.

The timers can be configured by standard preset
solid state timers. If any timer should fail then any
error will be picked up by the check input of the
EPROM address line and appropriate action instigated.

The EPROM used in the monitor system can be 
pre-programmed with data at its various locations 
using standard techniques or by the use of a short 
program. 
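
A short program of the kind mentioned above might look like the following. It is an added illustration, not taken from the patent: the address-line order, the use of one EPROM area per stage, the four-area counter range and the SHUTDOWN data word are all assumptions. Every location receives either the mirrored PLC word or a shutdown word, using the two disallowed-address rules described for the pilot and main ignition checks.

```python
# Added illustration. Assumptions (not from the patent drawings): address-line
# order, one EPROM area per stage, four areas in total, the SHUTDOWN data word.
PLC = ("fan", "ignition", "pilot", "main", "alarm")   # control information from the PLC
REF = ("thermostat", "air", "flame", "check")         # reference inputs plus timer check input
LINES = PLC + REF                                     # address line i carries LINES[i]
AREA_SHIFT = len(LINES)                               # counter output drives the upper lines
PILOT_STAGE, MAIN_STAGE = 0, 1                        # areas 2 and 3 are left unused
PLC_MASK = (1 << len(PLC)) - 1
SHUTDOWN = 1 << len(PLC)                              # burner relays off, lockout bit set


def address(area, **on):
    """EPROM address for a counter area and the set of energised inputs."""
    return area << AREA_SHIFT | sum(1 << LINES.index(n) for n, v in on.items() if v)


def disallowed(area, s):
    """Timing rules from the description, keyed on the check input."""
    if area == PILOT_STAGE:
        return s["check"] and s["ignition"]   # ignition still on after 5 seconds
    if area == MAIN_STAGE:
        return s["check"] and s["pilot"]      # pilot still on when T3 times out
    return True                               # unused area: reaching it is a fault


def build_image(areas=4):
    """Fill every location with the mirrored PLC word or the shutdown word."""
    image = bytearray(areas << AREA_SHIFT)
    for addr in range(len(image)):
        s = {n: bool(addr >> i & 1) for i, n in enumerate(LINES)}
        bad = disallowed(addr >> AREA_SHIFT, s)
        image[addr] = SHUTDOWN if bad else addr & PLC_MASK
    return image


def relay_word(image, area, **on):
    """Data word the monitor would pass to the relay drivers."""
    return image[address(area, **on)]


if __name__ == "__main__":
    eprom = build_image()
    ok = relay_word(eprom, PILOT_STAGE, fan=True, ignition=True, pilot=True, air=True)
    late = relay_word(eprom, PILOT_STAGE, fan=True, ignition=True, pilot=True, air=True, check=True)
    print(f"{len(eprom)} bytes, in-time word {ok:#04x}, overrun word {late:#04x}")
```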



Claims 

1. A monitor system for monitoring a microprocessor
based control device in safety critical
situations, said system including :-

first input means for receiving control information
from the microprocessor based control
device;
second input means for receiving reference
information also received by said control device;

means for determining whether the control
information from said device corresponds to
that expected in view of the reference information,
and means for overriding the control
information if any error in this control information
is detected.

2. A system as claimed in claim, wherein the
determining means includes a memory for
storing binary data accessible in dependence
on information received from the first and
second input means.

3. A system as claimed in claim 2, wherein the
memory comprises a ROM for receiving information
derived from the control device and said
reference information so as to address locations
therein.

4. A system as claimed in claim 2 or 3,
wherein the memory is configured to contain
information mirroring the control device information
and to contain overriding information,
the information mirroring the control device
information being located at addresses accessible
during normal operation of the control
device and the overriding information being
located at addresses accessible during an error
phase of the control device.

5. A system as claimed in claim 4, including
selector means, and wherein the memory has
sufficient capacity to store additional sequencing
information for receipt by the selector
means to cause different memory areas to be
made available to the control device information
and reference information.

6. A system as claimed in claim 5, wherein the 
selector means includes a counter, and wherein 
feedback means are provided from the data bus 
of said memory to reset or increment the 
counter in dependence on preprogrammable 
instructions within selected memory storage 
locations. 

7. A system as claimed in any one of
claims 2 to 6, wherein the first and second input 
means include opto-isolators for electrically 
isolating the inputs and including buffers for 
converting the inputs to a level suitable for the 
address bus of the memory. 

8. A system as claimed in any one of claims 2 
to 7, wherein the second input means are 
configured to receive thermostat, air status 
input and flame presence information from a 
burner device. 

9. A system as claimed in any one of claims 2 
to 8, wherein the first input means is configured 
to receive fan, ignition, pilot, main, and alarm
information from the control device for burner 
control. 

10. A system as claimed in any one of claims 1 
to 9, including checking means provided to 
ensure the integrity of the monitor system is 
maintained. 

11. A system as claimed in claim 10, wherein 
the checking means include a dynamically 
operable check circuit for continually checking 
system integrity. 

12. A system as claimed in claim 11, including a
controllable oscillator for dynamically exercising
the parity of the check circuit and a lockout
device for initiating operational lockout in the
event of a detected failure.

13. A system as claimed in claim 12, wherein
the oscillator is controlled by an output provided
by the determining means.

14. A system as claimed in claim 12 or 13,
including at least one relay and a relay operating
circuit under the control of a signal derived from
the oscillator to establish the integrity of the at
least one relay.

15. A system as claimed in claim 14, wherein
the at least one relay includes a bistable lockout
relay having a first coil operable to a lockout
condition on receipt of an error detection signal
from the parity check circuit, said relay being
resettable by means of a second coil.

16. A system as claimed in any preceding
claim, including relay means operable in dependence
on an output derived from the
determining means to interrupt the passage of
control information from the control device to a
remote location.

17. A system as claimed in claim 16, wherein 
the relay means are operable to by-pass the 
monitor in the event of monitor failure.

18. A system as claimed in any preceding
claim, including timer means operable to provide
reference sequencing information for use
by the determining means.

19. A monitor system for monitoring a microprocessor
based control device substantially as
described herein with reference to the accompanying
drawings.